CN101017525A - Divulging secrets prevention system of USB storage device data based on certificate and transparent encryption technology - Google Patents


Info

Publication number: CN101017525A
Authority: CN (China)
Prior art keywords: certificate, memory device, usb memory, module, usb
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN 200710064188 (priority application CNB2007100641886A)
Other languages: Chinese (zh)
Other versions: CN100449561C (en)
Inventors: 徐国爱, 陈爱国, 张淼, 骆春山
Current assignee: Beijing University of Posts and Telecommunications (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing University of Posts and Telecommunications
Application filed by: Beijing University of Posts and Telecommunications
Publications: CN101017525A (application), CN100449561C (granted patent)
Current legal status: Expired - Fee Related

Abstract

This invention relates to a USB storage device data anti-leakage system based on certificate and transparent encryption technology. The system comprises the following parts: certificate management software; a certificate server protected by physical isolation and network protection measures; internal network hosts acting as clients, each running client software; and secure USB storage devices, produced from ordinary USB devices by the server. The method comprises the following steps: (a) install the certificate management software on the network server and the client software on each host, respectively; (b) perform a security initialization of the USB storage device on the certificate server; (c) issue the storage device to an internal user; (d) use the secure USB storage device normally.

Description

USB storage device data anti-disclosure system and method based on certificate and transparent encryption
Technical field
The present invention relates to a data anti-disclosure system and method for USB storage devices used on the internal network of an enterprise or institution. More precisely, it relates to a USB storage device data anti-disclosure system, and a method of using it, based on digital certificate authentication and transparent encryption technology, and belongs to the data security field within information security.
Background technology
Today people increasingly use computers as the medium for storing information and frequently use USB storage devices to exchange it. These devices hold not only personal and private information but also the business data and important internal information of enterprises and institutions; loss or theft of this data causes heavy losses to the enterprise or the individual. Data security has therefore become a top priority of current information security construction. Data encryption can protect the data stored on hard disks, USB storage devices and other storage media: even if the storage device is stolen, the user can be confident that the data cannot be browsed or obtained by unauthorized people.
At present, encrypted storage of data is usually realized by hardware or software techniques, briefly described below.
(1) Many hardware manufacturers implement encryption protection in hardware, so that all data on the device is protected by the hardware itself, which greatly reduces the risk of confidential data being leaked.
This technique generally places on the disk, by some means, information that cannot be copied normally; a specific program checks this information at run time to determine whether the operation is legitimate. A simple example is a program that, when run or installed, requires a "key floppy disk" to be inserted in the drive: without the correct key disk the program will not run, or some of its functions are restricted, and the key disk cannot be duplicated with diskcopy. Another commonly used encryption technique creates abnormal tracks or sectors on the disk, and the application verifies these marks to determine whether the disk is legitimate. For ordinary users, however, such devices are often expensive and difficult to maintain, which makes many users hesitate.
(2) Encrypted storage realized in software. Most such products on the market encrypt data passively: data is encrypted and stored only when the user explicitly selects a document that needs encrypted storage. This is very inconvenient to use, since the user must re-encrypt a document every time it is changed, which greatly reduces office efficiency. It is also easy for the user to overlook and thereby cause damage: if the user forgets to encrypt a document but believes it is encrypted, and then transfers it out by network or other means, information is leaked.
To overcome the shortcomings of conventional encryption software, a new software encryption technique has emerged that satisfies the requirements of secure data storage while remaining convenient to operate and manage. It exploits the management features of the Windows kernel layer: by developing a kernel filter driver, it realizes transparent encryption of data without changing how the original file system works. After simple configuration, the user obtains encrypted storage of data securely and with peace of mind.
Software on the market that uses this new technique (for example the USB Secure Storage Expert product of Hisoon Information Technology Co., Ltd.) adopts a "remote control, centralized management, unified configuration" model and provides a total solution for controlling all USB ports of an enterprise or institution. However, it cannot satisfy the diverse requirements users have for encryption schemes: users cannot choose an encryption scheme according to their own needs, nor integrate their own encryption scheme into the system.
In addition, USB storage devices used as mobile storage are now very powerful and increasingly common. But while people enjoy the convenience they bring, the lack of security controls and supporting management tools also brings a risk of data leakage. Within the internal network of an enterprise or department, an employee can freely carry company or departmental internal data out of the workplace on a USB storage device, and USB storage devices used on the internal network may be lost or stolen; all of these situations can lead to data disclosure. Moreover, with millions of kinds of USB storage devices on the market, all kinds of internal confidential data constantly flow into these devices while facing the risk of loss or theft, and the potential loss caused by lost sensitive company data grows geometrically every day. How to protect the data of enterprises and institutions in this situation is therefore a great challenge for the IT department of each organization, and people increasingly insist that necessary and appropriate security measures be adopted for mobile storage devices. Building on existing data encryption technology, how to realize a secure, maintainable, easily managed and user-acceptable encryption scheme for mobile USB storage devices has become a new problem for ensuring data security and promoting information security products.
Summary of the invention
In view of this, the purpose of the invention is to provide a USB storage device data anti-disclosure system, and a method of using it, based on digital certificate authentication and transparent encryption technology, to prevent the data leakage incidents that using USB storage devices may cause on the internal network of an enterprise or department, and to guarantee the safe handling of the various data on the internal network.
To achieve this purpose, the invention provides a USB storage device data anti-disclosure system based on certificate and transparent encryption technology, used on the internal local area network of a department, enterprise or institution; it is characterized in that the system comprises the following parts:
A certificate server acting as the control center: a network server with the certificate management software installed, whose safe and reliable operation is guaranteed by physical isolation and network protection measures; it performs the initialization of USB storage devices and the security authentication when USB storage devices are used;
A plurality of clients: internal network hosts with the client software installed, which implement the use control of USB storage devices and transparently encrypt and decrypt the read/write operations of USB storage devices, so that ordinary USB storage devices are forbidden and only USB storage devices that have passed security initialization can be used;
A plurality of secure USB storage devices: devices that have passed the initialization of the certificate server, to prevent the data leakage caused by illegal use or loss of ordinary USB storage devices.
The running environment required by the client and server is the Windows 2000, XP, 2003 or Vista operating system, on hardware supporting those operating systems.
The certificate management software in the certificate server comprises the following six functional modules:
A certificate database, which stores the information of issued certificates and interacts with the other functional modules to complete certificate issuance, authentication and maintenance;
A management platform module, which provides the user interface for human-machine interaction, including starting the initialization of a USB storage device by the user and viewing, adding, deleting or modifying certificate repository information;
A certificate issuance module, which accepts instructions from the management platform module and issues a certificate for a USB storage device when the device is initialized;
A certificate maintenance module, which accepts instructions from the management platform module during the use of USB storage devices and views, adds, deletes or modifies the certificate data in the certificate repository;
A client communication module, which communicates with the client software on the hosts to transmit the security certificate and the certificate private key of a USB storage device;
A certificate verification module, which authenticates the USB storage device certificates used by clients.
The client software in each client comprises the following five functional modules:
A USB storage device plug monitoring module, which automatically detects the insertion and removal of USB storage devices on the client host and, whenever it detects a USB storage device being inserted, automatically calls the USB storage device use control module;
A USB storage device use control module, which uses certificate verification to control whether a USB storage device is allowed to be used on the client host, i.e. forbids the use on the client host of USB storage devices that have not passed security initialization;
A certificate server communication module, which communicates with the certificate management server and assists the USB storage device use control module in completing the certificate verification of the USB storage device;
A transparent encryption/decryption module, a driver at the system kernel layer, which calls the encryption/decryption algorithm implementation module to transparently encrypt and decrypt the read/write operations of the secure USB storage device used on the client host, and which also transparently encrypts and decrypts file names and folder names;
An encryption/decryption algorithm implementation module, developed with the Component Object Model (COM) technology in the form of a dynamic link library (DLL) or EXE file, which performs the transparent encryption and decryption of the data read from and written to the USB storage device. It exposes three functional interfaces: key setting, data encryption and data decryption. The module can be replaced dynamically by the client: any COM component dynamic library that meets this module's design requirements can be used as a direct replacement, thereby changing the encryption/decryption algorithm.
To achieve the above purpose, the invention also provides a method of using the USB storage device data anti-disclosure system based on certificate and transparent encryption technology, characterized by the following operation steps:
(1) Install the certificate management software on the network server and the client software on each host, respectively;
(2) Perform security initialization of the USB storage device on the certificate server: the certificate server generates a new, unique certificate for each USB storage device and writes the encrypted certificate information to an unused hidden sector of the USB storage device, so that each USB storage device is first authenticated when used, to determine whether it is allowed to be used on a host;
(3) Issue the initialized secure USB storage device to an internal user: because the encrypted certificate information is hidden on the device, it is hard for users to copy or recognize, and ordinary deletion or high-level formatting does not destroy it, which ensures the secure USB storage device is not easily counterfeited or damaged; the file names and folder names stored on the secure USB storage device are transparently encrypted, guaranteeing data security;
(4) Normal use of the secure USB storage device: the client software and the certificate server first actively authenticate each USB storage device inserted into the client, and then transparently encrypt and decrypt the data read from and written to the authenticated USB storage device; the user operates the device exactly like an ordinary USB storage device.
Step (2) further comprises the following operations:
Step (4) further comprises the following operations:
(40) Insert the secure USB storage device into the client host;
(41) The USB storage device plug monitoring module of the client software detects the device insertion message in real time and notifies the USB storage device use control module;
(42) The USB storage device use control module reads the encrypted certificate information from the hidden sector and calls the certificate server communication module, which sends the encrypted certificate information to the certificate server and requests verification;
(43) The certificate management software in the certificate server performs security verification of this encrypted certificate information and sends the verification result to the client;
(44) After the certificate server communication module in the client software receives the verification result from the certificate server, it passes the result to the USB storage device use control module, which reads and judges it. If verification passes, subsequent operations continue; otherwise the USB storage device use control module automatically unmounts the USB storage device, forbids its use, and jumps to step (49), ending all operations;
(45) The USB storage device use control module sets the private key corresponding to this certificate, returned by the certificate server, in the transparent encryption/decryption module, so that the private key serves as the key for the transparent encryption and decryption of this USB storage device;
(46) The transparent encryption/decryption module intercepts disk read/write operations and, using the current key, calls the encryption/decryption algorithm implementation module to transparently encrypt and decrypt the data of each read/write operation; at the same time it transparently encrypts and decrypts the storage and display of file names and folder names;
(47) After the user removes the USB storage device, the USB plug monitoring module detects the device removal message in real time and notifies the USB use control module;
(48) The USB use control module notifies the transparent encryption/decryption module to destroy the encryption/decryption key that was just in use;
(49) End.
The certificate uses an asymmetric cryptosystem, i.e. each digital certificate has a pair consisting of a certificate public key and a private key; the transparent encryption/decryption algorithm uses a symmetric cryptosystem with a single key, and it uses the private key of the encrypted certificate as that key.
Step (43) further comprises the following operations:
(431) The client communication module of the certificate management software in the certificate server receives the certificate verification request and the ciphertext certificate;
(432) The client communication module sends the certificate verification request and the ciphertext certificate to the certificate verification module;
(433) The certificate verification module decrypts the ciphertext certificate and compares it with the corresponding data in the certificate database to verify whether the certificate is legitimate;
(434) The certificate verification module returns the legitimate/illegitimate verification result to the client through the client communication module; if the certificate is legitimate, the private key of the certificate is returned to the client at the same time.
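The flow of steps (40) to (49) and (431) to (434), together with the initialization steps (21) to (24) restated in the embodiment, can be followed end to end in the offline model below. This is an added example and not code from the patent or its authors: the stream cipher, the JSON certificate record, the `UsbDevice` object whose `hidden_sector` attribute stands in for the unused sector, and the class and method names are all assumptions made for this illustration; the real system uses a kernel driver and a COM algorithm module. The model keeps the page's design decisions, in particular that the server returns the certificate's private key to the client as the symmetric key and that the client destroys that key on removal, and it exercises the failure branch of step (44) for an ordinary (never initialized) device and for a device whose hidden sector was corrupted.

```python
# Added example, not code from the patent or its authors: an offline model of
# device initialization (steps 21-24) and of the insertion, verification and
# removal flow (steps 40-49 and 431-434). The stream cipher, the JSON record
# format and the in-memory "hidden sector" are stand-ins chosen for this
# illustration; the real system uses a kernel driver and a COM algorithm module.
import hashlib
import json
import secrets


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 counter keystream (illustration only)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class UsbDevice:
    """Constructed stand-in for a flash disk; hidden_sector models the unused sector."""

    def __init__(self):
        self.hidden_sector = b""
        self.mounted = True


class CertificateServer:
    """Certificate management software: issuance (23-24) and verification (431-434)."""

    def __init__(self):
        self.master_key = secrets.token_bytes(32)   # protects the certificate written to the device
        self.database = {}                           # serial -> {"cert": ..., "private_key": ...}

    def initialize_device(self, device: UsbDevice) -> None:
        serial = secrets.token_hex(8)                # new, unique per device
        private_key = secrets.token_bytes(32)        # later handed to the client as the symmetric key
        cert = {"serial": serial, "public_key_id": secrets.token_hex(16)}  # placeholder fields
        self.database[serial] = {"cert": cert, "private_key": private_key}
        device.hidden_sector = keystream_xor(self.master_key, json.dumps(cert).encode())

    def verify(self, ciphertext_cert: bytes) -> dict:
        try:
            cert = json.loads(keystream_xor(self.master_key, ciphertext_cert))
        except ValueError:                            # empty, foreign or corrupted blob
            return {"legal": False}
        record = self.database.get(cert.get("serial")) if isinstance(cert, dict) else None
        if record is None or record["cert"] != cert:  # (433) compare with the database
            return {"legal": False}
        return {"legal": True, "private_key": record["private_key"]}   # (434)


class ClientHost:
    """Client software: use control module plus the transparent module's key slot."""

    def __init__(self, server: CertificateServer):
        self.server = server
        self.current_key = None

    def on_insert(self, device: UsbDevice) -> str:
        result = self.server.verify(device.hidden_sector)   # (42)-(43)
        if not result["legal"]:                              # (44) failed: unmount and forbid
            device.mounted = False
            self.current_key = None
            return "forbidden"
        self.current_key = result["private_key"]             # (45) key for transparent encryption
        return "allowed"

    def write_file(self, plaintext: bytes) -> bytes:
        if self.current_key is None:
            raise PermissionError("no authenticated device")
        return keystream_xor(self.current_key, plaintext)    # (46) encrypt on write

    def read_file(self, ciphertext: bytes) -> bytes:
        if self.current_key is None:
            raise PermissionError("no authenticated device")
        return keystream_xor(self.current_key, ciphertext)   # (46) decrypt on read

    def on_remove(self) -> None:
        self.current_key = None                              # (47)-(48) destroy the key


def demo() -> dict:
    """Run the flow for an initialized, an ordinary and a corrupted device."""
    server = CertificateServer()
    host = ClientHost(server)
    secure = UsbDevice()
    server.initialize_device(secure)
    ordinary = UsbDevice()                                   # never initialized: empty sector
    corrupted = UsbDevice()
    corrupted.hidden_sector = bytes(b ^ 1 for b in secure.hidden_sector)
    results = {"secure": host.on_insert(secure)}
    stored = host.write_file(b"quarterly figures")
    results["ciphertext_differs"] = stored != b"quarterly figures"
    results["roundtrip"] = host.read_file(stored) == b"quarterly figures"
    host.on_remove()
    results["key_destroyed"] = host.current_key is None
    results["ordinary"] = host.on_insert(ordinary)
    results["corrupted"] = host.on_insert(corrupted)
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields `allowed` for the initialized device, a ciphertext that round-trips while the key is held, `None` for the key after removal, and `forbidden` for both the ordinary and the corrupted device, which is the behaviour the steps above prescribe.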
The method of writing the encrypted certificate information to an unused hidden sector of the USB storage device is as follows: when a disk is formatted, every file system leaves some sectors unused, and the positions of these unused sectors on the disk differ from one file system to another. Some safe sectors, chosen by testing, are used to store the certificate information, and before actually writing to a sector a safety check is performed first to make sure the sector is not in use.
The method of transparently encrypting and decrypting the storage and display of file names and folder names is as follows: on an internal network host running the system, when the user opens the logical volume of the USB storage device, the displayed file names are the normal, user-defined names, while the file names actually stored on the disk are encrypted; on a host without the client software installed, all file names seen when the secure USB storage device is opened are ciphertext.
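The replaceable algorithm module with its three interfaces (key setting, data encryption, data decryption) described among the client modules, and the file-name handling just described, are illustrated together below. This is an added example and not code from the patent or its authors: a Python abstract class stands in for the COM interface, the hash-based keystream cipher is a stand-in for whatever algorithm a real module would implement, the base32 encoding of encrypted names is an assumption chosen so that stored names stay within a FAT-safe character set, and all class and method names are invented for this illustration. The example goes slightly beyond the text by showing the algorithm swap the page describes (a second module instance replaces the first without any change to the layer that calls it).

```python
# Added example, not code from the patent or its authors: the algorithm module's
# three-call interface (key setting, data encryption, data decryption) as a
# swappable Python class standing in for the COM DLL, and the transparent
# file-name layer built on it. The keystream cipher and the base32 name encoding
# are stand-ins chosen for this illustration.
import base64
import hashlib
from abc import ABC, abstractmethod


class AlgorithmModule(ABC):
    """The three interfaces the transparent module calls; any implementation is a drop-in."""

    @abstractmethod
    def set_key(self, key: bytes) -> None: ...

    @abstractmethod
    def encrypt(self, data: bytes) -> bytes: ...

    @abstractmethod
    def decrypt(self, data: bytes) -> bytes: ...


class StreamModule(AlgorithmModule):
    """Stand-in implementation: XOR with a hash-based counter keystream (not a production
    cipher). The hash name plays the role of the algorithm a replacement module changes."""

    def __init__(self, hash_name: str = "sha256"):
        self.hash_name = hash_name
        self.key = None

    def set_key(self, key: bytes) -> None:
        self.key = key

    def _xor(self, data: bytes) -> bytes:
        if self.key is None:
            raise RuntimeError("key not set")
        size = hashlib.new(self.hash_name).digest_size
        out = bytearray()
        for i in range(0, len(data), size):
            block = hashlib.new(self.hash_name, self.key + i.to_bytes(8, "big")).digest()
            out.extend(b ^ k for b, k in zip(data[i:i + size], block))
        return bytes(out)

    def encrypt(self, data: bytes) -> bytes:
        return self._xor(data)

    def decrypt(self, data: bytes) -> bytes:
        return self._xor(data)


class TransparentNameLayer:
    """Keeps encrypted names on the volume; user-defined names appear only where the key is set."""

    def __init__(self, module: AlgorithmModule):
        self.module = module            # replaceable: any AlgorithmModule works here

    def to_stored_name(self, user_name: str) -> str:
        ciphertext = self.module.encrypt(user_name.encode("utf-8"))
        return base64.b32encode(ciphertext).decode("ascii").rstrip("=")  # FAT-safe charset

    def to_user_name(self, stored_name: str) -> str:
        padded = stored_name + "=" * (-len(stored_name) % 8)
        return self.module.decrypt(base64.b32decode(padded)).decode("utf-8")

    def listing(self, stored_names, with_client: bool):
        """What a directory listing shows: plain names on a client host, ciphertext elsewhere."""
        return [self.to_user_name(n) if with_client else n for n in stored_names]


def demo() -> dict:
    key = b"\x11" * 32                  # constructed key; the real one comes from the certificate server
    module = StreamModule("sha256")
    module.set_key(key)
    layer = TransparentNameLayer(module)
    name = "budget 2007.xlsx"
    stored = layer.to_stored_name(name)
    results = {
        "stored": stored,
        "stored_is_ciphertext": stored != name
        and set(stored) <= set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"),
        "client_view": layer.listing([stored], with_client=True),
        "foreign_view": layer.listing([stored], with_client=False),
    }
    replacement = StreamModule("sha512")   # swap the algorithm module; the layer is untouched
    replacement.set_key(key)
    layer.module = replacement
    stored2 = layer.to_stored_name(name)
    results["changed_by_swap"] = stored2 != stored
    results["roundtrip_after_swap"] = layer.to_user_name(stored2) == name
    return results


if __name__ == "__main__":
    print(demo())
```

The `listing` call with `with_client=False` is what a host without the client software sees: only the base32 ciphertext names. Because the layer only ever calls `set_key`, `encrypt` and `decrypt`, replacing `StreamModule("sha256")` with `StreamModule("sha512")` (or any other class implementing `AlgorithmModule`) changes the stored names without changing the layer, which is the property the COM-based design relies on.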
Compared with the prior art, the invention has the following advantages. The system architecture is simple and low in cost: apart from configuring physical and network isolation measures for the network server, almost no other transformation work or expense is needed on the hardware side; it suffices to install the corresponding software on the server and on the end hosts to effectively stop the data leakage risk that using USB storage devices brings to an internal network. Because the system issues a different digital certificate to each USB storage device, and these certificates are hidden in ciphertext form in an unused area of the device, they are hard to copy or forge. Furthermore, the data stored on the USB storage device is ciphertext, the certificate and data encryption key differ from device to device, and file names and folder names are also transparently encrypted ciphertext, which reduces the risk of information leakage: the data and file names read from a USB storage device used on the internal network are all ciphertext on any external host and cannot be recognized, which guarantees that the data on the USB storage device will not leak. Only on a host running the system, after the client software decrypts the file names, does the user see normal file names. In addition, an external ordinary USB storage device cannot pass the internal network's security authentication and therefore cannot be used on internal network hosts.
Moreover, the invention controls whether a USB storage device is disabled or available by certificate verification; the certificates are issued by the system, and no special requirements are placed on the USB storage device. The transparent encryption algorithm used by the invention exists as a Component Object Model (COM) component; COM is a set of standards developed by Microsoft for binary reuse of software. As long as the COM component provides the encryption/decryption interfaces with the specified names, the algorithm can be replaced without modifying the system software. In this way the invention supports various software and hardware encryption strategies: users can use their own software encryption strategy or hardware encryption device without restricting the transparency service at all. The invention therefore has good application prospects and is especially suited to environments in which USB storage devices must be used in internal work, the internal data is sensitive (trade secrets or technical secrets), and employees must be prevented from using USB storage devices illegally or from causing disclosure through loss of the devices.
Description of drawings
Fig. 1 is a schematic diagram of the structure of the USB storage device data anti-disclosure system based on certificate and transparent encryption technology of the present invention.
Fig. 2 is a schematic diagram of the internal module structure of the certificate management software in the certificate server of the present invention.
Fig. 3 is a schematic diagram of the internal module structure of the client software on a host of the present invention.
Fig. 4 is a block diagram of the operating process of the method of using the USB storage device data anti-disclosure system of the present invention.
Fig. 5 is a block diagram of the detailed process of the USB storage device initialization operation in Fig. 4.
Fig. 6 is a flow diagram of the concrete steps of normal use of the USB storage device in Fig. 4.
Fig. 7 is a block diagram of the detailed process of certificate verification by the certificate server in Fig. 6.
Embodiment
To make the purpose, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings.
Referring to Fig. 1, the USB storage device data anti-disclosure system based on certificate and transparent encryption technology of the present invention, used on the internal local area network of a department, enterprise or institution, comprises the following parts:
Certificate server 1, acting as the control center: a network server with the certificate management software installed, whose safe and reliable operation is guaranteed by physical isolation and network protection measures; it performs the initialization of USB storage devices and the security authentication when USB storage devices are used;
A plurality of internal network hosts 2 with the client software installed, which implement the use control of USB storage devices and transparently encrypt and decrypt the read/write operations of USB storage devices; host 2 forbids ordinary USB storage devices and can only use USB storage devices that have passed security initialization;
A plurality of secure USB storage devices 3, i.e. ordinary USB storage devices that have passed the initialization of the certificate server; in the system they are called "secure USB storage devices" to distinguish them from ordinary USB storage devices that have not been initialized.
Referring to Fig. 2, the certificate management software in certificate server 1 has the following six functional modules:
Certificate database 11, which stores the information of issued certificates and interacts with the other functional modules to complete certificate issuance, authentication and maintenance;
Management platform module 12, which provides the user interface for human-machine interaction, including starting the initialization of a USB storage device by the user and viewing, adding, deleting or modifying certificate repository information;
Certificate issuance module 13, which accepts instructions from the management platform module and issues a certificate for a USB storage device when the device is initialized;
Certificate maintenance module 14, which accepts instructions from the management platform module during the use of USB storage devices and views, adds, deletes or modifies the certificate data in the certificate repository;
Certificate verification module 15, which authenticates the USB storage device certificates used by clients;
Client communication module 16, which communicates with the client software on the hosts to transmit the security certificate and the certificate private key of a USB storage device.
Referring to Fig. 3, the client software in each host of the present invention has the following five functional modules:
USB storage device plug monitoring module 21, which automatically detects the insertion and removal of USB storage devices on the client host; whenever it detects a USB storage device being inserted, module 21 automatically calls USB storage device use control module 22.
USB storage device use control module 22, which uses certificate verification to control whether a USB storage device is allowed to be used on the client host, i.e. forbids the use on the client host of USB storage devices that have not passed security initialization.
Certificate server communication module 23, which communicates with the certificate management server and assists USB storage device use control module 22 in completing the certificate verification of the USB storage device.
Transparent encryption/decryption module 24, a driver at the system kernel layer, which calls encryption/decryption algorithm implementation module 25 to transparently encrypt and decrypt the read/write operations of the secure USB storage device used on the client host, and which also transparently encrypts and decrypts file names and folder names.
Encryption/decryption algorithm implementation module 25, developed with the Component Object Model (COM) technology, which performs the transparent encryption and decryption of the data read from and written to the USB storage device. Its software form is a dynamic link library (DLL) or EXE file; it exposes three functional interfaces, key setting, data encryption and data decryption; and it can be replaced dynamically by the client: any COM component dynamic library that meets this module's design requirements can be used as a direct replacement, thereby changing the encryption/decryption algorithm.
The running environment required by the server and clients of the present invention is the Windows 2000, XP, 2003 or Vista operating system, on hardware supporting those operating systems. The hardware devices in the system (server, hosts and USB storage devices) are all ordinary hardware in everyday use, with no special requirements.
Referring to Fig. 4, describe each operation steps of the using method of USB storage device data anti-disclosure system of the present invention in detail:
(1) erecting act management software and client software respectively in the webserver and each main frame especially will guarantee the safety of server, and be special secret indoor except it being placed in one, also some safety practices will be set on network.After the All hosts on the internal network has all been installed client software, have only USB memory device just can on client host, use through security initialization.
(2) at certificate server USB memory device (flash disk) being carried out security initialization handles: so-called security initialization is exactly to generate new unique certificate by certificate server for each USB memory device, and the certificate information that will encrypt writes the untapped hiding sector in the USB memory device, so that earlier each USB memory device is authenticated in use, determine whether this USB memory device allows to use on main frame; Wherein write the certificate information of hiding the sector and be used for distributed key when inserting USB memory device that main frame prepares to use and authenticate with transparent encryption and decryption.The concrete operations of this step the contents are as follows (referring to Fig. 5):
(21) Insert the USB storage device into the certificate server;
(22) The administrator selects the initialization operation through the operation interface provided by the management platform module of the certificate management software on the certificate server;
(23) The certificate issuance module of the certificate management software generates a new certificate and writes the newly encrypted certificate information to an unused hidden sector of the USB device;
(24) The issued certificate information and the private key of this certificate are stored in the certificate database.
(3) Provide the initialized secure USB storage devices to internal users: secure USB storage devices that have undergone security initialization on the certificate server in the secure room can be handed to internal users. Because the encrypted certificate information is hidden on the device, it is difficult for a user to copy or recognize it, and ordinary deletion or high-level formatting operations do not destroy it, so the secure USB storage device is not easily counterfeited or damaged. Moreover, the file names and folder names stored on the secure USB storage device are all transparently encrypted, which guarantees data security.
(4) Normal use of the secure USB storage device: the client software and the certificate server first authenticate each USB storage device inserted into a client, and only then are the data reads and writes of the authenticated USB storage device transparently encrypted and decrypted; to the user, usage is the same as with an ordinary USB storage device. This step is the most important operating process in the method of use of the present invention; its concrete operations are as follows (referring to Fig. 6):
(40) The user inserts the secure USB storage device into a client host on the internal network;
(41) The USB storage device plug monitoring module in the client software detects the USB device insertion message in real time and notifies the USB storage device use control module;
(42) The USB storage device use control module reads the encrypted certificate information from the hidden sector and calls the certificate server communication module, which sends the encrypted certificate information to the certificate server and requests verification;
(43) The certificate management software on the certificate server performs security verification of the encrypted certificate information of this USB storage device and sends the verification result to the client; the concrete operations of this step are as follows (referring to Fig. 7):
(431) The client communication module of the certificate management software on the certificate server receives the certificate verification request and the ciphertext certificate;
(432) The client communication module sends the certificate verification request and the ciphertext certificate to the certificate verification module;
(433) The certificate verification module decrypts the ciphertext certificate and compares it with the corresponding data in the certificate database to verify whether the certificate is legitimate;
(434) The certificate verification module returns the legal/illegal verification result to the client through the client communication module; if the certificate is legitimate, the private key of the certificate is returned to the client at the same time.
(44) After the certificate server communication module in the client software receives the verification result sent by the certificate server, it passes the result to the USB storage device use control module, which reads and evaluates it. If verification passed, the subsequent operations continue; otherwise the USB storage device use control module automatically unmounts the USB storage device, prohibits its use, jumps to step (49) and ends all operations;
(45) The USB use control module sets the private key corresponding to this certificate, as returned by the certificate server, in the transparent encryption/decryption module, so that the private key serves as the key for the transparent encryption and decryption of this USB storage device;
(46) The transparent encryption/decryption module intercepts the disk read and write operations and, using the current key, calls the encryption/decryption algorithm implementation module to transparently encrypt and decrypt the data of each read and write operation; at the same time, the storage and display of file names and folder names are transparently encrypted and decrypted;
(47) When the user pulls out the USB storage device, the USB plug monitoring module detects the device removal message in real time and immediately notifies the USB use control module;
(48) The USB use control module notifies the transparent encryption/decryption module to destroy the encryption/decryption key that was just in use;
(49) End.
The leak-prevention principle of the system of the present invention is explained below from three aspects. First, when an employee brings his or her own external USB storage device into the company or department for internal use: because in the system of the present invention both the security client software on the hosts and the certificate management software on the certificate server require a USB storage device to be authenticated before use, an external USB storage device that has not undergone security initialization cannot be used on the internal network at all, so this situation cannot cause internal data to leak. Second, when an employee takes a secure USB storage device used at work home or to a public place and uses it outside: because the client software transparently encrypts and decrypts the data reads and writes of secure USB storage devices used inside, all data written to the USB storage device is ciphertext; when the user takes the secure USB storage device out and uses it, the data written inside cannot be read, and the file names are also encrypted ciphertext, so no data leakage results. Third, when a secure USB storage device used inside is lost: this situation is similar to the second case; a stranger who obtains the secure USB storage device cannot read the data on it, so no data leakage results.
The USB storage device data leakage prevention system based on digital certificate authentication and transparent encryption technology of the present invention, and its method of use, have been implemented and tested in the applicant's laboratory; the tests were successful and the object of the invention has been achieved.

Claims (10)

1. A USB storage device data leakage prevention system based on certificate and transparent encryption technology, for use in the internal local area network of a department, enterprise or institution, characterized in that the system comprises the following parts:
A certificate server serving as the control center, which is a network server on which the certificate management software is installed and which is physically isolated and protected by network protection measures to guarantee its safe and reliable operation, used to complete the initialization of USB storage devices and the security authentication operations when USB storage devices are used;
A plurality of clients, which are internal network hosts on which the client software is installed, used to control the use of USB storage devices and to transparently encrypt and decrypt the read and write operations of USB storage devices, so that ordinary USB storage devices are prohibited and only USB storage devices that have undergone security initialization can be used;
A plurality of secure USB storage devices, which are devices that have undergone the initialization processing of the certificate server, to prevent the data leakage caused by the illegal use of a USB storage device or by the loss of an ordinary USB storage device.
2. The USB storage device data leakage prevention system according to claim 1, characterized in that: the clients and the server require Windows 2000, XP, 2003 or Vista as the operating system, together with hardware that supports these operating systems.
3. The USB storage device data leakage prevention system according to claim 1, characterized in that: the certificate management software on the certificate server comprises the following six functional modules:
A certificate database, used to store the issued certificate information and to interact with the other functional modules to complete the corresponding certificate issuance, verification and maintenance functions;
A management platform module, used to provide the user interfaces for human-computer interaction, including starting the operation of initializing a USB storage device and viewing, adding, deleting or modifying the information in the certificate repository;
A certificate issuance module, used to accept instructions from the management platform module and issue a certificate for a USB storage device when the USB storage device is initialized;
A certificate maintenance module, used to accept instructions from the management platform module during the use of USB storage devices and to view, add, delete or modify the certificate data in the certificate repository;
A client communication module, used to communicate with the client software on the hosts, completing the security authentication of USB storage devices and the transmission of certificate private keys;
A certificate verification module, used to complete the verification of the certificates of the USB storage devices used by the clients.
4. The USB storage device data leakage prevention system according to claim 1, characterized in that: the client software on the clients comprises the following five functional modules:
A USB storage device plug monitoring module, used to automatically detect the plugging and unplugging of USB storage devices on the client host; as soon as the insertion of a USB storage device is detected, it automatically calls the USB storage device use control module;
A USB storage device use control module, which uses certificate verification to control whether a USB storage device is allowed to be used on the client host, that is, it prohibits USB storage devices that have not undergone security initialization from being used on the client host;
A certificate server communication module, used to communicate with the certificate management server and to assist the USB storage device use control module in jointly completing the certificate verification operation for the USB storage device;
A transparent encryption/decryption module, a driver at the system kernel layer, which calls the encryption/decryption algorithm implementation module to transparently encrypt and decrypt the read and write operations of secure USB storage devices used on the client host, and which also transparently encrypts and decrypts file names and folder names;
An encryption/decryption algorithm implementation module, developed with Component Object Model (COM) technology in the form of a dynamic link library (DLL) or EXE file, used to perform the transparent encryption and decryption of the data read from and written to the USB storage device; it externally provides three functional interfaces, key setting, data encryption and data decryption, and can be dynamically replaced by the client, that is, any COM component library that meets the design requirements of this module can be substituted directly in order to change the encryption/decryption algorithm.
5. A method of using a USB storage device data leakage prevention system based on certificate and transparent encryption technology, characterized in that it comprises the following operation steps:
(1) Install the certificate management software on the network server and the client software on each host;
(2) Perform security initialization of USB storage devices on the certificate server: the certificate server generates a new, unique certificate for each USB storage device and writes the encrypted certificate information to an unused hidden sector of the USB storage device, so that each USB storage device is authenticated first when it is used, to determine whether it is allowed on a host;
(3) Provide the initialized secure USB storage devices to internal users: because the encrypted certificate information is hidden on the device, it is difficult for a user to copy or recognize it, and ordinary deletion or high-level formatting operations do not destroy it, so the secure USB storage device is not easily counterfeited or damaged; moreover, the file names and folder names stored on the secure USB storage device are all transparently encrypted, which guarantees data security;
(4) Normal use of the secure USB storage device: the client software and the certificate server first authenticate each USB storage device inserted into a client, and only then are the data reads and writes of the authenticated USB storage device transparently encrypted and decrypted; to the user, usage is the same as with an ordinary USB storage device.
6. The method of using the USB storage device data leakage prevention system according to claim 5, characterized in that step (2) further comprises the following operations:
(21) Insert the USB storage device into the certificate server;
(22) The administrator selects the initialization operation through the operation interface provided by the management platform module of the certificate management software on the certificate server;
(23) The certificate issuance module of the certificate management software generates a new certificate and writes the newly encrypted certificate information to an unused hidden sector of the USB device;
(24) The issued certificate information and the private key of this certificate are stored in the certificate database.
7. The method of using the USB storage device data leakage prevention system according to claim 5, characterized in that step (4) further comprises the following operations:
(40) Insert the secure USB storage device into a client host;
(41) The USB storage device plug monitoring module in the client software detects the device insertion message in real time and notifies the USB storage device use control module;
(42) The USB storage device use control module reads the encrypted certificate information from the hidden sector and calls the certificate server communication module, which sends the encrypted certificate information to the certificate server and requests verification;
(43) The certificate management software on the certificate server performs security verification of the encrypted certificate information and sends the verification result to the client;
(44) After the certificate server communication module in the client software receives the verification result from the certificate server, it passes the result to the USB storage device use control module, which reads and evaluates it; if verification passed, the subsequent operations continue; otherwise the USB storage device use control module automatically unmounts the USB storage device, prohibits its use, jumps to step (49) and ends all operations;
(45) The USB use control module sets the private key corresponding to this certificate, as returned by the certificate server, in the transparent encryption/decryption module, so that the private key serves as the key for the transparent encryption and decryption of this USB storage device;
(46) The transparent encryption/decryption module intercepts the disk read and write operations and, using the current key, calls the encryption/decryption algorithm implementation module to transparently encrypt and decrypt the data of each read and write operation; at the same time, the storage and display of file names and folder names are transparently encrypted and decrypted;
(47) When the user pulls out the USB storage device, the USB plug monitoring module detects the device removal message in real time and immediately notifies the USB use control module;
(48) The USB use control module notifies the transparent encryption/decryption module to destroy the encryption/decryption key that was just in use;
(49) End.
8. The method of using the USB storage device data leakage prevention system according to claim 5 or 7, characterized in that: the certificate uses an asymmetric cryptosystem, that is, each digital certificate has a certificate public key and a private key; the transparent encryption/decryption algorithm uses a symmetric cryptosystem, that is, it has only one key; and the transparent encryption/decryption algorithm uses the private key of the encrypted certificate as its key.
9. The method of using the USB storage device data leakage prevention system according to claim 7, characterized in that step (43) further comprises the following operations:
(431) The client communication module of the certificate management software on the certificate server receives the certificate verification request and the ciphertext certificate;
(432) The client communication module sends the certificate verification request and the ciphertext certificate to the certificate verification module;
(433) The certificate verification module decrypts the ciphertext certificate and compares it with the corresponding data in the certificate database to verify whether the certificate is legitimate;
(434) The certificate verification module returns the legal/illegal verification result to the client through the client communication module; if the certificate is legitimate, the private key of the certificate is returned to the client at the same time.
10. The method of using the USB storage device data leakage prevention system according to claim 5, characterized in that: the method of writing the encrypted certificate information into an unused hidden sector of the USB storage device is as follows: when a disk is formatted, every file system leaves some sectors unused, and the location of these unused sectors on the disk differs from one file system to another; a number of safe sectors are chosen by testing to store the certificate information, and before a sector is actually written, a safety check is performed first to ensure that the sector is not in use;
The method of transparently encrypting and decrypting the storage and display of file names and folder names is as follows: on a host of the internal network, when the user opens the logical volume of the USB storage device, the file names displayed are the normal user-defined file names, while the file names actually stored on the disk are encrypted; on a host without the client software installed, the file names seen when the secure USB storage device is opened are all ciphertext.

Publications (2)

Publication Number Publication Date
CN101017525A true CN101017525A (en) 2007-08-15
CN100449561C CN100449561C (en) 2009-01-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090107

Termination date: 20100305